New-Tech Europe | February 2019

the system boots, the application will switch from the secure state to the non-secure and execute what is known as the user code. At this point, the application executes just like any other embedded application. The main difference is that the non- secure code can only access secure functions and callbacks through a secure gateway (Figure 6). If the user application attempts to access secure code, memory or peripherals without going through the secure gateway, an exception will be generated. Undoubtedly this means that either there is a bug in the software, or in a production environment, a hacker is attempting to access the system. At this point, the code can then decide how it should thwart the attack, such as restarting the system to remove any injected code that may be running in the non-secure SRAM. Tips and tricks for securing an embedded application with TrustZone There are many techniques that can help improve embedded security. Below are several tips and tricks that will help developers interested in using the Armv8-M architecture with TrustZone: Use the secure zone during reset to establish a root of trust and a trusted execution environment. Put security critical tasks, libraries, and keys into the secure zone. Let the user code be placed in the non-secure zone. To keep things simple, put the RTOS kernel in one place, either the secure or the non-secure zone. Use the MPU in the secure and non-secure zones to improve process isolation. Minimizing the code in the secure zone can help to minimize the secure codes attack surface.

Make sure that secure code clears any secret information from unbanked registers before initiating a transition from the secure to non-secure state. Conclusion Securing a microcontroller-based application for the IoT is important but tricky. Security starts at the hardware level, but many traditional microcontroller families running Cortex-M0+, Cortex-M3/4/7 cores may lack the features necessary to successfully secure the device. Developers can now leverage the new Armv8-M architecture on the Cortex-M23 and Cortex-M33 cores to secure their embedded applications using a rising number of processors using the architecture.

Figure 5: When using TrustZone, developers end up with a multi-project workspace where one project is specifically for the secure code and the other is for the user code. (Image source: Keil)

Figure 6: A TrustZone application starts execution from the secure state and enters the non-secure state once the root of trust has been established. The non-secure state can only make function calls to exposed functions within the secure code, otherwise an exception is thrown. (Image source: Keil)

New-Tech Magazine Europe l 43